Data points to China as source of March RSA breach, wider attacks

Of the networks used to control the Flash-based attack on over 700 networks, …

When RSA executive chairman Art Coviello told attendees of the company’s conference in London two weeks ago that the March cyberattack on his company “could only have been perpetrated by a nation-state,” he refused to elaborate on which country that might be. Data shared with Congress by security experts, however, suggests strongly that the nation-state in question was China and that the infrastructure used in the attacks had been active long before RSA was breached.

Hackers used a zero-day Flash exploit, embedded in a spreadsheet sent through a “spear-phishing” attack, to gain access to RSA’s network and compromise information on RSA’s SecurID authentication tokens. But as security blogger Brian Krebs reports, over 700 organizations’ networks were found to be transmitting data back to the command-and-control networks used to coordinate the attack—including a number of ISPs, financial and technology firms, and government agencies. Research In Motion, Cisco, Google, Northrop Grumman, Charles Schwab, the General Services Administration, the Internal Revenue Service, and the State of Michigan were among the notable names on the list.

The data shared with congressional staffers also showed that of the over 300 C&C networks used to coordinate the Flash zero-day attacks, the vast majority—299 of them—were located in China. And the first communication with these networks dates back to November 2010, predating the known timeline of the Flash zero day by at least three months.
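A finding like the 700-organization list, and the November 2010 first-contact date, comes out of a retro-hunt: load the C&C addresses as indicators, sweep historical egress logs for internal hosts that talked to them, and keep the earliest sighting per source/destination pair. The script below is an added example, not part of the article or of the data shared with Congress. Its indicator addresses and log lines are constructed (RFC 5737 documentation addresses and RFC 1918 internal ranges), and the four-field log format is hypothetical; the real campaign's addresses are not on this page and are not reproduced here.

```python
"""Retro-hunt historical egress logs for contact with known C&C addresses.

Added example, not from the article or the congressional data. The
indicator list and the log lines are constructed for illustration,
and the log format "<ISO-8601 UTC timestamp> <src> <dst> <bytes_out>"
is hypothetical.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple

# Hypothetical C&C indicators, as an analyst would load them from a shared list.
CNC_INDICATORS = frozenset({
    ip_address("203.0.113.7"),
    ip_address("203.0.113.45"),
    ip_address("198.51.100.200"),
})

# Only outbound contacts from inside the organization count as "phoning home".
INTERNAL_RANGES = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

# Constructed sample log. It includes a malformed line and one inbound
# record from a C&C address; neither must produce a contact.
SAMPLE_LOG = """\
2010-11-03T04:12:09Z 10.20.1.55 203.0.113.7 1320
2010-11-03T04:42:11Z 10.20.1.55 203.0.113.7 1290
2011-01-15T09:00:00Z 10.20.7.8 93.184.216.34 512
2011-02-07T22:15:41Z 192.168.3.14 198.51.100.200 40211
2011-03-01T11:30:02Z 10.20.1.55 203.0.113.45 880
2011-03-02T11:30:05Z 10.20.1.55 203.0.113.45 874
this line is not a log record
2011-03-09T00:00:00Z 203.0.113.7 10.20.1.55 0
"""


class Contact(NamedTuple):
    src: str
    dst: str
    first_seen: datetime
    last_seen: datetime
    hits: int
    bytes_out: int


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def parse_line(line: str):
    """Return (timestamp, src, dst, bytes) or None for a line we cannot parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        src, dst = ip_address(parts[1]), ip_address(parts[2])
        nbytes = int(parts[3])
    except ValueError:
        return None
    return ts, src, dst, nbytes


def hunt(log_text: str, indicators=CNC_INDICATORS) -> List[Contact]:
    """Aggregate every internal->indicator flow into one Contact per (src, dst), oldest first."""
    found: Dict[Tuple[str, str], Contact] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, nbytes = rec
        if dst not in indicators or not is_internal(src):
            continue
        key = (str(src), str(dst))
        prev = found.get(key)
        if prev is None:
            found[key] = Contact(key[0], key[1], ts, ts, 1, nbytes)
        else:
            found[key] = prev._replace(
                first_seen=min(prev.first_seen, ts),
                last_seen=max(prev.last_seen, ts),
                hits=prev.hits + 1,
                bytes_out=prev.bytes_out + nbytes,
            )
    return sorted(found.values(), key=lambda c: c.first_seen)


def earliest_contact(contacts: List[Contact]) -> Optional[datetime]:
    """Oldest first_seen across all contacts: how far back the campaign reaches in your logs."""
    return min((c.first_seen for c in contacts), default=None)


def contacts_before(contacts: List[Contact], cutoff_iso: str) -> List[Contact]:
    """Contacts first seen before a cutoff such as the exploit's public disclosure date (ISO 8601)."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    return [c for c in contacts if c.first_seen < cutoff]


if __name__ == "__main__":
    contacts = hunt(SAMPLE_LOG)
    for c in contacts:
        print(f"{c.src} -> {c.dst}: {c.hits} hits, {c.bytes_out} bytes, first {c.first_seen:%Y-%m-%d}")
    print("earliest contact:", earliest_contact(contacts))
```

Direction matters: a C&C address appearing as the source of an inbound record (scanning, or a reply half of a flow logged separately) is not evidence the internal host beaconed out, so only internal-source records are counted. The earliest first_seen across the hunt is the number that, in the article, pushed the campaign's start back to November 2010.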

Wait, you can embed Flash in a spreadsheet? What the hell would that possibly be used for?

The mechanism's not really Flash-specific: Excel spreadsheets allow you to embed Win32 COM objects in general, of which Flash is one possibility. Among other things, that capability exists to allow you to build compound documents (i.e. embedding part of a spreadsheet into a Word document or vice versa).
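The COM embedding described in the post above leaves recognisable residue in the file, which is what a mail-gateway rule or a triage script looks for. The scanner below is an added example, not code from the thread or from any vendor: it searches for the Shockwave Flash ActiveX CLSID (D27CDB6E-AE6D-11CF-96B8-444553540000, in the little-endian GUID layout OLE writes to disk and in its text form inside OOXML activeX*.xml parts) and for a SWF file header. The sample documents are constructed byte blobs rather than real spreadsheets, and the check is a heuristic, not a full OLE2 parser (see the sector caveat in the code).

```python
"""Heuristic scan of a spreadsheet for an embedded Flash (Shockwave) object.

Added example, not from the thread. It looks for the two residues a
Flash object embedded via COM/OLE leaves in the file: the Shockwave
Flash ActiveX CLSID, stored as a little-endian GUID in OLE2 binaries
(.xls directory entries, OOXML activeX*.bin) and as text in OOXML
activeX*.xml, and a SWF file header (FWS/CWS/ZWS + version + length).
The sample "documents" below are constructed byte blobs, not real files.
"""
import io
import re
import struct
import uuid
import zipfile
from typing import List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
FLASH_CLSID_BIN = FLASH_CLSID.bytes_le          # on-disk GUID layout used by OLE
FLASH_CLSID_TXT = re.compile(rb"\{?D27CDB6E-AE6D-11CF-96B8-444553540000\}?", re.IGNORECASE)

# SWF header: 3-byte signature (FWS uncompressed, CWS zlib, ZWS LZMA),
# one version byte, then the uint32 little-endian uncompressed length.
SWF_HEADER = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40].{4}", re.DOTALL)


def scan_blob(blob: bytes, where: str) -> List[str]:
    findings = []
    if FLASH_CLSID_BIN in blob:
        findings.append(f"{where}: Shockwave Flash CLSID (binary GUID)")
    if FLASH_CLSID_TXT.search(blob):
        findings.append(f"{where}: Shockwave Flash CLSID (text)")
    for m in SWF_HEADER.finditer(blob):
        hdr = m.group(0)
        sig, version = hdr[:3].decode("ascii"), hdr[3]
        length = struct.unpack("<I", hdr[4:8])[0]
        if length >= 8:  # a SWF is never shorter than its own header
            findings.append(f"{where}: SWF header {sig} v{version} length={length} at {m.start()}")
    return findings


def scan_document(data: bytes) -> List[str]:
    """OOXML (.xlsx) is a zip: scan each entry. OLE2 (.xls) and anything else: scan raw bytes.

    Caveat for OLE2: streams live in 512-byte sectors that need not be contiguous,
    so a header split across a sector boundary is missed by a raw scan.
    """
    if data.startswith(ZIP_MAGIC):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                findings += scan_blob(zf.read(name), name)
        return findings
    return scan_blob(data, "ole2" if data.startswith(OLE2_MAGIC) else "raw")


def has_embedded_flash(data: bytes) -> bool:
    return bool(scan_document(data))


# ---- constructed samples (not real documents) ----
def _fake_swf(sig: bytes = b"CWS") -> bytes:
    return sig + bytes([10]) + struct.pack("<I", 4096) + b"\x00" * 16


FAKE_XLS = OLE2_MAGIC + b"\x00" * 64 + FLASH_CLSID_BIN + b"\x00" * 32 + _fake_swf() + b"\x00" * 32
CLEAN_XLS = OLE2_MAGIC + b"\x00" * 128 + b"quarterly numbers, nothing embedded"


def _fake_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
        zf.writestr("xl/activeX/activeX1.bin", FLASH_CLSID_BIN + _fake_swf(b"FWS"))
    return buf.getvalue()


FAKE_XLSX = _fake_xlsx()

if __name__ == "__main__":
    for label, doc in (("fake .xls", FAKE_XLS), ("fake .xlsx", FAKE_XLSX), ("clean .xls", CLEAN_XLS)):
        print(label, "->", scan_document(doc) or "no Flash residue")
```

Either residue on its own is enough to quarantine an inbound attachment for a look: a spreadsheet that legitimately needs a Flash control is rare, and a SWF header with no accompanying CLSID suggests the object was hidden somewhere other than the normal ActiveX storage.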

So, why does the Pentagon allow military contractors to have a presence on the internet, anyway, if the plans for the next generation of weapons can be stolen by China?

Yes, we shouldn't allow China to steal our weapon plans... they're supposed to *buy* them from us instead.

Actually, we're not all that keen usually on selling our technologies to people outside of NATO + Israel. We will do it sometimes, but usually only after it's a decade old.

They're not stealing anything. They're copying bits.

Although it is fairly terrifying to think that if they have enough access (and knowledge of backup methodologies) that they, or someone, could end up copying and then deleting -- possibly erasing years of R&D while building our weapons to use against us.

The Cyber Police can backtrace them. The consequences will never be the same.

However IHATENAMES has a good point and one that I've thought a lot about. I've not seen a news story affiliating the US with computer network operations. Is it just that China is more brazen? More active? Less regimented? Are such stories reported in foreign press but filtered out before they reach our (US) shores? It seems quite strange.

Well, what's the US going to do about it? So they have no reason not to do it.

Hacking is cheap, the benefits are enormous and the consequences of getting caught are laughable. It makes sense for China to engage on this front.

I think you read about China getting caught all the time vs. the U.S. because it's one of China's primary intelligence gathering mechanisms. If China wants to know how Lockheed Martin's latest DoD contract is going, they hack them. If the U.S. is interested how a PLA project is chugging along they take a peek through one of their high priced space cameras or squeeze one of their informants.

EDIT:

aquasub wrote:

Well, what's the US going to do about it? So they have no reason not to do it.

The U.S. government will be very, very angry with them. And they'll send them a letter, telling them how angry they are.

So, why does the Pentagon allow military contractors to have a presence on the internet, anyway, if the plans for the next generation of weapons can be stolen by China?

I might be wrong but I think the military has been using the internet (or rather, its predecessors) longer than the public. Having said that, they probably should keep important data off the web.

Didn't the government say that it was going to treat hacking by nation-states as acts of war? Whatever happened to that? Not that I'm in favor of going at it with China, but you shouldn't say stuff like that if you're just going to keep ignoring it.

Good news I get from this is that the US will need / hire more programmers and security specialist as this stuff starts to get more publicity and the public becomes aware. I have to get better at programming fast. To Protect America I must.

They can do so covertly. They do not need to operate out in public. I'm sure there's retaliatory hacking going on even as I type this...

So, why does the Pentagon allow military contractors to have a presence on the internet, anyway, if the plans for the next generation of weapons can be stolen by China?

There's a big difference between having a presence on the internet and having secret weapon plans accessible on the web. Classified data is supposed to be "air gapped", as in completely electrically and physically isolated from any other computer system or network, with very strict rules about what can cross the barrier.

Obviously, people can screw up, or be enticed or coerced into giving up information by foreign intelligence services, but in principle there isn't supposed to be any way to reach the "good stuff" from the Internet, or even a compromised corporate network.

OK, that out of the way... It was obvious to everyone that it was China to begin with, and now the run to find the information is coming down with the fingers (at least one for sure) pointing at them. Now what? Is the president going to back up his words, which he started with the use of force for cyber attack? Or, more probably, be the lame duck he has been since, well, always?

The danger is probably more widespread than we think. Keep in mind that prior studies have confirmed that contractors that use China for manufacturing alone face significant defect rates, up to 50%, implying that the finished product can have extensive problems to begin with.

That said, while it doesn't imply that they can steal the technology outright, it gives snippets and, as in the case of security breaches, they've yielded windfalls for China. The biggest example is China's stealth fighter, a technology that many experts have noted China couldn't have developed yet, as their military technology hasn't allowed for such development. Many point to prior security breaches and the design and features of China's stealth jet as examples of stolen tech.

We just really need to cut more ties to China; with the whole rare earth issue at hand and what we have as far as technology production for the military, it's a question of national interest intertwined with security. There are some areas we should re-evaluate as far as what businesses can do overseas.

Yes, it was pretty much assumed from the start that Chinese hackers were involved in the RSA attack. What's surprising isn't that it *is* China, or that it was a much broader attack. What's surprising is how little they apparently did to cover their tracks by spreading C&C.

Of course everyone thinks it's China. But seriously, even if it were proven what is the world gonna do? Sanctions? Military action?

The only thing that might happen is a relatively strongly worded speech by Obama and that's about it. And to be frank that's all that should happen. Too much is wrong with this world to start screwing with China. /deal with it, learn from it and move on

The biggest threat is probably not military (though that could change if China starts trying to take over areas of the South China Sea that have oil and are contested by several other nations), but is industrial and economic.

If a company spends billions on R&D, and a Chinese company, through some 'mysterious' method comes out with the same product at the same time, but without the R&D expense, guess which company goes out of business? Guess where everyone's money goes?

Hey, more money for aircraft carriers for the South China Sea, or maybe even that Taiwan invasion.

(but heck, they're testing our security, so this is a good thing, right?)

Hold those horses. China, with its tens of millions of users running unpatched, pirated Windows XP on no-password admin accounts, is a *goldmine* for anyone wanting to set up a botnet.

So while it is indeed unsurprising that this (and most) attacks come from Chinese IP addresses, it's a *very* long bow to draw to imply that it is "the Chinese" who are doing the attacks.

"How little they did to cover their tracks" is, in my view, even stronger evidence that this was foreign bot-controllers, and not in fact "the Chinese" at all.

If you think C&C servers in China = the Chinese are the attackers, then you really suck at the Internet.

China has shitloads of unsecured PCs with old, unpatched OSes. And their law enforcement agencies tend to not cooperate with the FBI... Using China as a relay to launch an attack makes a lot of sense for all the attackers around the world. The fact that the uninformed mass, in a relent of racism, will immediately blame China for the crime is an added bonus.

Until they've reached the ultimate C&C master server (which is impossible if the attacker did a proper job), RSA shouldn't blame anyone but themselves for their incompetence.

Updated rules of the Internet : * dudes are dudes * girls are dudes * children are FBI agents * attackers are Chinese

No kidding. I saw a program a few years ago that said those aircraft were just falling into disrepair. Now, Iran claims to have a whole operational squadron of the birds, made possible by reverse-engineering (and likely stealing) replacement parts.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.